Healthcare Cyber-Attacks Intensify, Sector Now Prime Target


Cyber-attacks targeting healthcare have “noticeably increased” in intensity, with the sector suffering more incidents than other key industries in 2024, according to new data from Darktrace.

The cybersecurity vendor revealed it responded to 45 cybersecurity incidents impacting healthcare organizations last year.

This was higher than finance (37), energy (22), insurance (14) and telecoms (12).

A key factor in the growing targeting of healthcare is the lucrative nature of the sector. Darktrace noted that globally, data breaches cost more in healthcare than any other industry, averaging $10m between 2020 and 2024.

Nicole Wong, Principal Cyber Analyst at Darktrace, told Infosecurity: “Healthcare being one of the most targeted sectors aligns with trends we’ve observed for some time, though the intensity has noticeably increased in 2024. Hospitals and healthcare providers store vast amounts of personal and sensitive patient data, making them prime targets for data breaches, ransomware and other cyber-attacks.”

She added: “The sensitive nature of patient information, combined with the potential for disruption to critical services, creates a high-value target for attackers. Additionally, healthcare’s significance as critical national infrastructure makes it particularly attractive for politically motivated threat actors operating based on national interests.”

How Attackers Are Compromising Healthcare

The new report highlighted that phishing (32%) and exploitation of edge infrastructure vulnerabilities (36%) collectively made up over two-thirds of healthcare compromises.

The remainder included exposed ports, misconfigurations and end-of-life device exploitation.

This is a similar pattern to attacks in other industries, Wong said.

Notably, 75% of healthcare network intrusions were business email or cloud account compromise that did not escalate to ransomware or data exfiltration. This suggests the attackers are laying the foundations for further gain.

“This mirrors the type of multi-stage attacks APT groups typically conduct and implies an overall increase in capability of the threat actors targeting healthcare that security teams should prepare for,” the report noted.

Tailored Phishing Attacks

The researchers have observed phishing attacks becoming more targeted against healthcare. For example, one in three of them targeted VIP users, indicating that threat actors are focusing on individuals with greater access privileges or decision-making authority.

In addition, Darktrace observed that a “significant proportion” of phishing emails in 2024 either impersonated a supplier or originated from a compromised supplier account.

Nahisha Nobregas, Senior Cyber Analyst at Darktrace, said: “This represents a concerning evolution as it exploits the trust relationship between healthcare providers and their vendors, making detection more challenging since the communications appear to come from legitimate business partners.”

Vulnerability Exploitation

Darktrace said its incident data showed that attackers frequently exploited edge infrastructure devices from vendors such as Citrix, Cisco, Fortinet and Ivanti.

The types of healthcare firms affected by these exploits ranged from equipment suppliers to non-critical care providers.

Expanding Healthcare Attack Surface

The researchers warned that healthcare organizations’ attack surfaces are widening, providing more opportunities for threat actors.

This includes the rising use of cloud services widening the SaaS footprint, the integration of more third-party devices and services and growth in Medical Internet of Things (IoMT) devices.

Darktrace highlighted its detection of a digital imaging device infected with the PurpleFox rootkit and DirtyMoe malware as an example of how specialized medical devices have become, in effect, another vulnerable operating system.

In this case, there appeared to be no intention of compromising protected health information. Rather, the attackers were looking to use the device to gain a foothold as part of a wider attack on the network.

“It underscores the reality that defenders need to continuously monitor clinical devices just like any other device in IT infrastructure. This discovery reinforces the need for comprehensive security monitoring that extends beyond traditional IT systems to include specialized medical equipment,” warned Patrick Anjos, Senior Cyber Analyst at Darktrace.


